Page last updated on March 5, 2025
Editas Medicine, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:21:12 EST.
Filings
10-K filed on 2025-03-05
Editas Medicine, Inc. filed a 10-K at 2025-03-05 16:21:12 EST
Accession Number: 0001650664-25-000022
Item 1C. Cybersecurity.
We have established certain processes for assessing, identifying and managing cybersecurity risks, which are built into our information technology functions and are designed to help protect our information, assets and operations from internal and external cyber threats. Such processes include physical, procedural and technical safeguards, response plans, regular tests on our systems, incident simulations and routine review of our policies and procedures to identify risks and refine our practices. We engage certain external parties, including consultants, independent privacy assessors, computer security firms and risk management and governance experts, as appropriate to enhance our cybersecurity oversight. We consider the internal risk oversight programs of third-party service providers before engaging them in order to help protect us from any related vulnerabilities.
We do not believe that there are currently any risks from known cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information regarding risks we face, please refer to Part I, Item 1A “Risk Factors-Risks Related to Employee Matters, Managing Growth, Public Health and Information Technology-Security breaches and other disruptions to our information technology structure could compromise our information, disrupt our business and expose us to liability, which would cause our business and reputation to suffer” of this Annual Report on Form 10-K.
The Audit Committee of our Board of Directors oversees our cybersecurity and data privacy risk management activities, and reports to the Board regarding such oversight as appropriate. The Audit Committee receives updates from management regarding cybersecurity matters not less than twice per year, and is notified between such updates regarding any significant new cybersecurity threats or incidents.
Our Head of Information Security leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes, and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. The Head of Information Security has approximately 20 years of cybersecurity expertise, including more than 15 years working in information security with the U.S. Federal Reserve System, serving most recently as the Assistant Vice President for Operations and Information Security. He has received both a GIAC Security Leadership certificate and a Certified Information Systems Security Professional certification.
We have also established a cross-functional Cybersecurity Incident Response Team led by our Head of Information Security serving as the chair and consisting of senior-level functional leaders, with appropriate members of our executive leadership team added on an ad hoc basis as necessary for any particular threat or incident. This team seeks to safeguard the confidentiality, integrity, and availability of our critical information assets and protect against cyber threats through establishing a proactive and effective incident response program, fostering a culture of security awareness, and ensuring the continuous improvement of our incident response capabilities. In the event of a cyber security incident, the team is responsible for the swift detection, containment, mitigation, and recovery from such incident to minimize business disruption, protect intellectual property, and maintain the trust of our stakeholders.
In an effort to deter, prevent and detect cyber threats, we provide all employees, including part-time and temporary employees, with a data protection, cybersecurity and incident response and prevention training and compliance program, which covers a range of timely and relevant topics.
Past topics have included social engineering, phishing, password protection, confidential data protection, asset use and mobile security. The training and compliance program functions to educate employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.
Company Information
Name | Editas Medicine, Inc. |
CIK | 0001650664 |
SIC Description | Biological Products, (No Diagnostic Substances) |
Ticker | EDIT - Nasdaq |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |